We’ve seen some rough security fails over the years, and GoDaddy’s recent news about a breach leading to rogue website redirects might make the highlight reel. The real juicy part is buried on page 30 of a PDF filing to the SEC.
Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.
That multi-year campaign appears to go back to at least October 2019, when an SSH file was accessed and altered, leading to 28,000 customer SSH usernames and passwords being exposed. There was also a 2021 breach of the GoDaddy WordPress environment that has been linked to the same group.
Reading between the lines, there may be an implication here that the attackers had an ongoing presence in GoDaddy’s internal network for that entire multi-year period — note that the quote above refers to a single campaign, and not multiple campaigns from the same actor. That would be decidedly bad.
Joomla’s Force Persuasion
Joomla has a critical vulnerability, CVE-2023-23752, which is a trivial information leak from a web endpoint. This flaw is present in all of the 4.x releases up to 4.2.8, which contains the fix. The issue is the REST API, which gives access to pretty much everything about a given site. It has an authentication component, of course. The bypass is to simply append ?public=true. Yes, it’s a good old “You don’t need to see his identification” force suggestion.
There’s even a PoC script that runs the request and spits out the most interesting data: the username, password, and user id contained in the data. It’s not quite as disastrous as that sounds — the API isn’t actually leaking the administrative username and password, or even password hash. It’s leaking the SQL database information. Though if your database is accessible from the Internet, then that’s pretty much as bad as it could be.
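One way to spot this bypass being tried against your own Joomla site is to scan the web server access log for REST API requests carrying the public=true flag. This is an added example, not code from the column or the Joomla project; the log lines are constructed, and the /api/index.php/v1/config/application path is the publicly reported endpoint for this CVE.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines in the common Apache/nginx format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2023:10:01:02 +0000] "GET /index.php/component/content/ HTTP/1.1" 200 5120
203.0.113.9 - - [20/Feb/2023:10:01:05 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1432
203.0.113.9 - - [20/Feb/2023:10:01:06 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 870
198.51.100.4 - - [20/Feb/2023:10:02:11 +0000] "GET /api/index.php/v1/content/articles HTTP/1.1" 401 94
198.51.100.4 - - [20/Feb/2023:10:02:12 +0000] "GET /images/logo.png?public=true HTTP/1.1" 200 3301
"""

# Client IP, timestamp, method, request target and status code from a combined-log-style line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_public_bypass(target: str) -> bool:
    """True if the request targets the Joomla REST API (/api/...) with public=true in the query."""
    parts = urlsplit(target)
    if not parts.path.startswith("/api/"):
        return False  # the flag only matters on the API, not on static files or normal pages
    query = parse_qs(parts.query, keep_blank_values=True)
    return any(value.lower() == "true" for value in query.get("public", []))


def find_bypass_attempts(log_text: str) -> list[dict]:
    """Return one record per matching request; 'served' means the server answered 200,
    which on an unpatched 4.x site means the configuration data was actually handed out."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match or not is_public_bypass(match["target"]):
            continue
        hits.append({
            "ip": match["ip"],
            "when": match["ts"],
            "target": match["target"],
            "served": match["status"] == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 on any of these requests means the site was still on a vulnerable release at that moment and the database credentials in the configuration should be treated as exposed.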
ClamAV Chokes on DMG and HFS
You may not be familiar with ClamAV. It’s an open source antivirus, and it’s mainly used for automatically scanning emails and attachments. If your email flows through a Linux-based mail server, there’s a decent chance ClamAV does a virus check on your incoming mail. Which is why the pair of vulnerabilities just announced could be really bad news.
ClamAV does more than simple hash value comparisons, and for some file types, it processes, decompresses, and otherwise parses the file looking for malicious data. That sort of detailed investigation is a two-edged sword. Yes, it will catch more malware, but it only takes one error in a parser to have a problem. And ClamAV had two.
CVE-2023-20052 is an XML eXternal Entity injection (XXE) in the handling of DMG files. This injection can potentially lead to a remote information leak, and rudimentary details are available online. Third party researchers have managed a file leak when ClamAV is run in debug mode. Based on the advisory, there’s more to the story.
And then CVE-2023-20032 is the bad one. HFS+ files can be malformed to trigger a heap buffer overflow. It’s a simple flaw that allows an attacker to specify the memory allocation, the data to copy, as well as the data length to write. Sounds like trivial Remote Code Execution — except, as pointed out by the OneKey researchers, every Linux distribution worth its salt is using the NX bit, a stack canary, Position Independent Executables, and other hardening techniques to make exploitation difficult. At the very least, turning this into a full RCE is going to take an additional information leakage vulnerability, likely one more usable than the XML problem mentioned above. Even without that, this flaw makes it trivial to crash the ClamAV process on a mail server. Regardless, updates have been released fixing these two issues.
Bits and Bytes
After legitimate businesses forged the way with *-as-a-Service offerings, criminals have followed suit, most notably with spam and ransomware offerings. Now we can add yet another service to the ranks: phishing as a service. And that’s a fun read, because the researchers at Cyberark found an archive on the phishing server, and used the information to infiltrate the scammer’s Telegram channel.
Browser extensions. Just how dangerous can they be? [Matt Frisbie] takes a look, and demonstrates what we should already know: running untrusted code is a bad idea. The good news is that the permission request is accurate, but most browser extensions need dangerous permissions to do anything useful. And keep in mind that any trustworthy browser extension is one update away from being malicious, à la The Great Suspender and others.
Want to dive down the rabbit hole of PlayStation vulnerability and homebrew research? It’s a follow-on to mast1c0re, all about triggering a bug in the PS4 and PS5’s PS2 emulation, and then escaping that emulation context. Maybe we’ll see a return of installing Linux on newer PlayStations as a result?
Security research on Apple’s MacOS and iOS platforms continues, with the recent discovery of a new vulnerability. This one is based on See No Eval, and it’s all about abusing the NSPredicate feature. It looks like a limited-use class for data filtering, but really allows for arbitrary code to be run in another process. The new news is that some of the mitigations for this exploit are easily sidestepped, just by asking nicely.
Now for a final pair of stories that aren’t quite fully baked this week: Look forward to a new stable release of ZoneMinder to fix some flaws found in a Capture the Flag event, coming Soon(tm)! Update: it’s here. And why has Intel published a brand new security advisory for a BMC flaw that was found and fixed in 2021? Mysteries abound.